WannaCry ransomware cyber-attack ‘may have N Korea link’

May 16, 2017

Who was behind the huge global cyber-attack? One prominent theory right now is North Korea – but what we know is far from conclusive.

You may not have heard of the Lazarus Group, but you may be aware of its work. The devastating hack on Sony Pictures in 2014, and another on a Bangladeshi bank in 2016, have both been attributed to the highly sophisticated group.

It is widely believed that the Lazarus Group worked out of China, but on behalf of the North Koreans.

Security experts are now cautiously linking the Lazarus Group to this latest attack after a discovery by Google security researcher Neel Mehta. He found similarities between code found within WannaCry – the software used in the hack – and other tools believed to have been created by the Lazarus Group in the past.

It’s a mere sliver of evidence, but there are other clues to consider too.

Security expert Prof Alan Woodward pointed out to me via email that time stamps within the original WannaCry code are set to UTC +9 – China’s time zone – and the text demanding the ransom uses what reads like machine-translated English, but a Chinese segment apparently written by a native speaker.

“As you can see it’s pretty thin and all circumstantial,” Prof Woodward said.